Monday, September 10, 2018

A couple of years ago I was doing some phishing investigations training at the Police School in Santiago, Chile. One module in my training was called "Logs Don't Lie," which pointed out that in most cases we have everything we need to prioritize a phishing response just by looking at the log files, either on the compromised phishing server or in the Financial Institution's own logs.

Malware C2 servers are another great place to apply the rule "Logs Don't Lie." Most security researchers realize that there is a great cloud of fellow researchers on Twitter sharing little tips and glimpses of their investigations. @LukasStefanko and @nullcookies and I have been looking at a C2 server for a piece of Android malware. And the Logs are AMAZINGLY helpful at understanding just what kind of damage such a trojan can do! (Sidenote: @nullcookies is a monster for finding fresh and interesting phish (and often related tools), while @LukasStefanko is an awesome malware analyst for ESET, specializing in Android-based malware. You should follow both on Twitter if you care about such things. Thanks to them both for the pointer that leads to what follows.)

In this case, the malware is believed to be called "Anubis II" and likely uses the "Builder" that is depicted in this YouTube video, titled "Builder Android Bot Anubis 2"

Launching the APK Builder "Android Botnet Anubis II"

Malware actor chooses from his list of banking targets

In the comments section of the video, someone has shared a screen shot of the botmaster's control panel. In this case it is demonstrating that 619 Android phones can be controlled from the botnet:

Phones that can be controlled from Anubis II control panel

In the particular instance referred to by Lukas and NullCookies, the malware seems to have been active primarily in June of 2018. The server hosting the Anubis II panel has a list of banks that it can present.

Fake Android Login Pages for Banks

While each of the 190 sites has a fake login page available, we thought we would show a sampling from banks around the world . . .

There are also several Crypto Currency organizations listed:

blockchaine

coinbase

localbitcoin

unocoin

As well as some Online Payment, Email, and Social Media sites:

eBay

Facebook

Gmail

PayPal

ZebPay

Each bank on the list has the equivalent of a phishing page that can be presented if the owner of the Android phone attempts to log in to the given bank.

Some of them have silly typographical errors that will hopefully reduce success, such as this Wells Fargo content, inviting the phone owner to "Sing In" to the bank. Perhaps there is a Wells Fargo Choir? Hopefully that will cause victims to NOT fall for this particular malware!

The Wells Fargo Choir? Sing On!

The SMS Intercepts

One of the main benefits of having access to the server was to see so many examples of successful SMS message intercepts! At the time of the server dump, this one contained 32,900+ unique "keylog" entries and 52,000+ logged SMS messages from at least 47 unique devices.

Here's an example showing a Bank Two Factor Authentication request being forwarded to the criminals:

Text: Bank of Redacted: 819881 is your authorization code which expires in 10 minutes. If you didn't request the code, call 1.800.xxx.xxxx for assistance.

Keylogging was also enabled, allowing the criminal to see when a bank app was being used:

06/29/2018, 15:28:46 EDT|(CLICKED)|[Friendly reminderThis is Mr. XXXXXXX from REDACTED. This is a friendly reminder that you have a payment due today by 6pm If you have any questions or need to make a payment via phone call 804-999-9999 or we have a new payment processing system that allows , for your convenience, to simply text in the last 4 digits of a card you've previously used and the security code and we're able to process your payment. Feel free to call REDACTED with any questions at 804-xxx-xxxx]

Hundreds of Gmail verification codes were found in the logs:

06/14/2018, 00:19:33 EDT|(FOCUSED)|[G-473953 is your Google verification code., 1 min ago]

Quite a few Uber codes were also found in the logs:

In a directory called "/numers/" there were also examples of address book dumps from phone contacts. The small number of these seems to indicate this would be a "triggered" request, where the botnet operator would have to request the address book. In the example we found, with seven area code (404) numbers, four (770) numbers and four (678) numbers, it is likely an Atlanta, Georgia based victim.

The Keylogging feature also seems to be something that is turned on or off by request of the botnet operators. There were far fewer devices for which keylogs were found. Example keylog entries looked like this:

06/27/2018, 15:54:30 EDT|(CLICKED)|[Suggested: "BREAKING UP IN FRONT OF COMPANY!!" PRANK ON PANTON SQUAD!!!]
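The keylog and SMS entries quoted above share a simple layout (timestamp, event type in parentheses, captured text in square brackets), and that regularity is what makes a C2 dump so useful to a responder: the one-time codes and the victim's contacts can be pulled out mechanically for notification. The following is an added example, not code from the original post or from the malware's panel, that parses that keylog format, flags Google and bank one-time codes, and tallies area codes from a contact dump the way the "/numers/" example above was read. The sample entries are the lines quoted in this post plus constructed 555-prefix phone numbers; the code patterns are assumptions modelled on those two quoted messages.

```python
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# Keylog line layout seen in the dump:
#   "MM/DD/YYYY, HH:MM:SS TZ|(EVENT)|[captured text]"
KEYLOG_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4}, \d{2}:\d{2}:\d{2}) (?P<tz>[A-Z]{2,4})"
    r"\|\((?P<event>[A-Z]+)\)\|\[(?P<text>.*)\]$"
)

# One-time-code patterns (assumed; derived from the two messages quoted in the post)
CODE_PATTERNS = {
    "google_verification": re.compile(r"\bG-(\d{6})\b.*Google verification code", re.I),
    "bank_authorization": re.compile(r"\b(\d{6})\b is your authorization code", re.I),
}


@dataclass
class KeylogEntry:
    timestamp: datetime
    tz: str
    event: str
    text: str


def parse_keylog_line(line):
    """Parse one keylog line; return None for lines that do not fit the layout."""
    m = KEYLOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%m/%d/%Y, %H:%M:%S")
    return KeylogEntry(ts, m.group("tz"), m.group("event"), m.group("text"))


def classify_code(text):
    """Return (category, code) when the text carries a recognised one-time code, else None."""
    for category, pattern in CODE_PATTERNS.items():
        m = pattern.search(text)
        if m:
            return category, m.group(1)
    return None


def triage(lines):
    """Summarise a keylog dump: entry/event counts plus every captured one-time code."""
    summary = {"entries": 0, "unparsed": 0, "events": Counter(), "codes": []}
    for line in lines:
        entry = parse_keylog_line(line)
        if entry is None:
            if line.strip():
                summary["unparsed"] += 1
            continue
        summary["entries"] += 1
        summary["events"][entry.event] += 1
        hit = classify_code(entry.text)
        if hit:
            summary["codes"].append((entry.timestamp.isoformat(), hit[0], hit[1]))
    return summary


# North American numbers as they appear in a contact dump: (404) 555-0101, 404-555-0101, 404.555.0101
NANP_RE = re.compile(r"\(?(\d{3})\)?[\s.-]?\d{3}[\s.-]?\d{4}")


def area_code_tally(numbers):
    """Count area codes in a contact dump; the dominant codes hint at where the victim lives."""
    tally = Counter()
    for n in numbers:
        m = NANP_RE.search(n)
        if m:
            tally[m.group(1)] += 1
    return tally


# Sample input: the keylog lines quoted in the post, plus one malformed line
SAMPLE_KEYLOG = [
    "06/14/2018, 00:19:33 EDT|(FOCUSED)|[G-473953 is your Google verification code., 1 min ago]",
    '06/27/2018, 15:54:30 EDT|(CLICKED)|[Suggested: "BREAKING UP IN FRONT OF COMPANY!!" PRANK ON PANTON SQUAD!!!]',
    "this line is not a keylog entry",
]
# The intercepted SMS quoted in the post (bank name redacted there)
SAMPLE_SMS = "Bank of Redacted: 819881 is your authorization code which expires in 10 minutes."
# Constructed contact dump (555 exchange numbers are reserved, so these are not real)
SAMPLE_CONTACTS = ["(404) 555-0101", "404-555-0102", "404.555.0103", "770-555-0104", "678-555-0105"]

if __name__ == "__main__":
    result = triage(SAMPLE_KEYLOG)
    print(result["entries"], "entries,", result["unparsed"], "unparsed;", dict(result["events"]))
    for when, category, code in result["codes"]:
        print(when, category, code)
    print("SMS:", classify_code(SAMPLE_SMS))
    print("Area codes:", area_code_tally(SAMPLE_CONTACTS).most_common())
```

Run over a real dump, the `codes` list gives the timestamps at which a victim's second factor was exposed, which is what a bank or mail provider needs to decide which sessions to revoke; the area-code tally is only a hint, since mobile numbers travel with their owners.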

Distribution

From looking for this malware in various collections, such as VirusTotal Intelligence, it seems that the malware is fairly common. Many new versions of the malware show up in that collection every day. The most common point of distribution seems to be the Google Play Store.

A stream of such apps was reported on by, well, just about everyone in July 2018. Some of the headlines included:

A search in VirusTotal Intelligence reveals 62 new filehashes ONLY FROM TODAY (September 10, 2018) that match a definition name of "Anubis". Some of the more popular names for the trojan on VirusTotal include: